Scammers managed to slip crypto apps onto Apple, Google app stores

Scammers were able to get two fraudulent apps onto the app stores run by both Google and Apple that allowed them to push users into making fake cryptocurrency investments, according to a new report.

Researchers from Sophos said they discovered Ace Pro and MBM_BitScan on both Google’s Play Store and Apple’s App Store. The apps are part of a scheme – now known colloquially as “pig butchering” – where scammers develop a relationship with victims, get them to download an app and then eventually get them to deposit money onto the app.

Jagadeesh Chandraiah, senior threat researcher at Sophos, said in one case, the scammers created a fake profile of a woman living a lavish life in London. They developed a relationship with a victim and urged them to download the Ace Pro app – which masquerades as a QR code scanner.

But once the app is downloaded, users see a fraudulent crypto trading platform that urges them to deposit currency. All of the funds deposited go directly to the scammers. One victim who contacted Sophos only discovered the apps were fraudulent after losing $4,000.

Chandraiah said it was most surprising that the apps made it onto Apple’s App Store considering how hard it generally is to get malware past the company’s security review process. While other malicious apps have been found on the Play Store, this is the first time Sophos found fraudulent apps on Apple’s store in their two years examining pig butchering scams.


Scammers previously had to go through far more technical trouble to get Apple users to download fake apps, and many victims figured out something was wrong when they couldn't simply download an app directly.

“By getting an application onto the App Store, the scammers have vastly increased their potential victim pool, particularly since most users inherently trust Apple,” Chandraiah said. 

“Both apps are also not affected by iOS’ new Lockdown mode, which prevents scammers from loading mobile profiles helpful for social engineering. In fact, these CryptoRom scammers may be shifting their tactics—i.e., focusing on bypassing the App Store review process—in light of the security features in Lockdown.”

A redirected domain

Chandraiah explained that Sophos believes the scammers were able to get past App Store security by connecting the app to a remote website with benign functionality when it was originally submitted for review. The domain included code for QR scanning to make it look legitimate to app reviewers, Chandraiah said.


But once the app was approved, the scammers were able to redirect it to a domain registered in an unnamed country in Asia. 

The other app, MBM_BitScan, is known as BitScan on Google Play. Both apps communicate with the same command-and-control (C2) infrastructure, which in turn communicates with a server that resembles a legitimate Japanese crypto firm.

Both Google and Apple were notified by Sophos about the apps and both companies said they removed them. 

Apple did not respond to requests for comment. A Google spokesperson told The Record: “The Android app identified as malicious in the report has been removed from Google Play and the developer has been banned.”

Sophos was initially alerted to the scam apps by victims, kicking off their two-year investigation into the trend. “Pig butchering” scams have become wildly popular among cybercriminals as online dating has exploded and more people have become comfortable with sending money digitally. 


A text sent to one victim by the scammers.

“CryptoRom and other forms of ‘pig butchering’ initially targeted people in China and Taiwan. Early scams focused on online gambling with insider information, using similar tactics to CryptoRom. Over the course of the COVID-19 pandemic, the scams expanded globally and evolved into fraudulent foreign exchange and cryptocurrency trading. We are tracking this threat actor as the ‘ShaZhuPan’ group,” Chandraiah said.

“When Chinese authorities started cracking down on these scams and prosecuted some perpetrators, some of the gangs behind them fled to smaller southeast Asian countries, including Cambodia, where they now operate in special economic zones (SEZ).”

The groups take advantage of lax money laundering laws and human trafficking in countries like Cambodia to staff their operations, according to Sophos. Economic disruptions from COVID-19 forced many into taking job offers abroad that ended up being fraudulent and turned out to be tied to pig-butchering rings.

Many – being trafficked from countries like India, China and Malaysia – had their passports confiscated and were forced to work for these operations to get their passports back. They are given scripts to follow when approaching victims and instructions on how to get victims to send money. 

Sophos noted that while it may seem far-fetched that anyone would fall for these scams, the victims they spoke to were almost always well-educated. Most victims noted that their relationships with the scammers lasted months and that they were allowed to make small profits from their initial transactions on the fraudulent financial websites or apps. 

Many of the scammers also share fake screenshots of the money they are purportedly making from the fraudulent platforms. Most of the victims who spoke to Sophos said they had recently dealt with a major life change and were emotionally vulnerable to this kind of operation, where scammers contacted them daily and shared mundane life updates.


Fake photos shared with one victim of the scam apps.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.